Glossary of Terms 

Throughout this document, unless otherwise stated, the terms listed below have the meanings stated beside them: 

Cause: Underlying internal or external factor that results in an event. 

Controls: Measures that include any processes, policies, procedures, practices or actions intended to modify the risk. 

CRO: Chief Risk Officer. 

ERM: Enterprise Risk Management. 

Enterprise Risk Management: A formal response to corporate risk. It is a structured and systematic process that is interwoven into existing management responsibilities. 

ERM Framework: The enterprise risk management framework is an outline interpretation of the risk management policy statement. 

ERM Strategy: The enterprise risk management strategy is a document that details how the risk management policy statement will be operationalised within the HSRC. 

Event: An incident or occurrence, from internal or external sources, that could affect the implementation of strategy or the achievement of objectives. 

Event Identification: A process of documenting internal and external events that could affect the achievement of objectives, distinguishing between risks and opportunities. 

Impact: Result or effect of an event. There may be a range of possible impacts associated with an event. The impact of an event can be positive or negative relative to the department's related objectives. 

Inherent Risk: Risk to the department in the absence of any action management might take to alter either the risk's likelihood or impact. 

Key Risk Indicators (KRIs): Measures used by management to indicate how risky an activity is. KRIs give an early warning of potential events that may harm continuity of the activity/project. 

Likelihood: The assessment of the probability that a risk will occur. 

Loss Control: A multidisciplinary approach in which human, engineering and risk management practices are employed to reduce the frequency or severity of losses and incidents. 

Opportunity: Possibility that an event will occur and positively affect the achievement of objectives. 

PFMA: Public Finance Management Act, Act No. 1 of 1999, as amended. 

PSRMF: Public Sector Risk Management Framework. 

Residual Risk: The risk remaining after management has taken action to reduce the impact and/or likelihood of a risk. 

ERM Strategy Volume I: Risk Management Methodology 


Page 3 of 31 

Risk: The consequence of any action or event that is currently occurring or that has a reasonable chance of occurring in the future, which could undermine the achievement of goals and objectives. 

Risk Appetite: The amount of risk an entity is willing to accept in pursuit of value. 

Risk Assessment: A process that allows an institution to consider how potential events might affect the achievement of objectives. 

Risk Avoidance: A process of planning activities to avoid risks which have been identified, by using an alternative method of service delivery. 

Risk Exposure: Portion of the range of possible outcomes of future events for which the department is susceptible to loss. 

Risk Identification: A process that allows an institution to consider external, internal, financial and non-financial factors that can influence an institution's policies and achievement of objectives. 

Risk Management: A systematic process to identify, evaluate and address risks on a continuous basis before such risks can impact negatively on the institution's service delivery capacity. 

RM Policy Statement: The risk management policy statement is a document that illustrates the philosophy of the HSRC Board on risk management, anti-corruption and compliance. It also indicates what needs to be done. 

Risk Rating: The allocation of a classification to the impact and likelihood of a risk. 

Risk Register: A tool commonly used to record detailed information about potential risks. It serves as an up-to-date information database about the status of individual risks. 

Risk Response: A process of assigning risk owners for each risk, determining the best strategy for responding to risks, and developing and implementing risk treatment plans. 

Risk Tolerance: The acceptable variation relative to the achievement of objectives. 

Risk Tolerance Levels: The level of risk exposure that management is prepared to tolerate. 

Risk Treatment Plan: A risk treatment plan is a document developed on a case-by-case basis as part of the risk management plan, detailing risk treatment strategies and resources. It also serves as a tracking document to monitor the effectiveness of treatment actions to manage a specific risk, detailing what actions will be taken to address the risk, including preventative measures, disaster recovery and business continuity. 

Uncertainty: Inability to know in advance the exact likelihood or impact of future events. 
Enterprise Risk Management (ERM) Strategy 
Volume I: Risk Management Methodology 

This policy subsumes and supersedes the HSRC Risk Management Framework approved by the HSRC 
Board on 21 May 2009. 


1. Introduction 

1.1. Statement of principle 

In terms of the HSRC Risk Management Policy Statement approved by the HSRC Board on 26 August 
2010, the HSRC acknowledges its responsibility to manage and use public funds in a responsible 
manner, and is therefore committed to identifying, addressing and appropriately managing any risks that 
may affect the safety and wellbeing of HSRC employees and the public, its financial stability and its ability 
to achieve the strategic objectives of the HSRC. 

Responsible management of public funds is an integral part of identifying threats and hindrances before 
they occur. An enterprise-wide approach to the management of risk is therefore adopted, because it 
recognises that risks and opportunities are dynamic, often highly interdependent and ought not to be 
considered and managed in isolation. Management of risk shall encompass identification of interrelated 
risks and of strategies that can be applied transversally to minimise the cost of managing risk. 

Management of the HSRC is expected to always conduct a cost-benefit analysis before implementing 
risk treatments, in order to ensure that resources are utilised in a cost-effective manner. 

1.2. Purpose 

This policy is established to facilitate the management of risks by providing a risk management 
methodology, outlining the different roles and providing guidelines to the different role-players on how to 
carry out their responsibilities. 

1.3. Scope of the ERM Strategy 

The ERM Strategy applies to all employees and all divisions of the HSRC. The HSRC Board, as part of 
delivering on its oversight responsibilities, will hold management accountable for the management of 
strategic risks and the implementation of this Strategy. 

The Chief Executive Officer, Executive Management and Business Unit Managers, as implementers of 
risk management, are responsible for the management of risks and the implementation of this Strategy. 

1.4. Application of the ERM Strategy 

Where this Strategy is breached by an official, the manager of the official may take disciplinary action in 
line with the HSRC's approved Disciplinary Code and Procedures. 

1.5. Definition of risk 

There are numerous definitions of risk, which are informed principally by the context in which they are 
applied. Clearly defining risk and ensuring that all role players understand what risk is to the HSRC is 
vital for enterprise risk management to be effective. The following definition was adapted from the King 
III Report: 

“Risks are uncertain future consequences of events/actions that could undermine the achievement of 
HSRC’s objectives.” 
2. Enterprise Risk Management Framework 

For ERM to be effective, it relies on various interrelated and interdependent components, as 
outlined in the following diagram: 


HSRC ENTERPRISE RISK MANAGEMENT FRAMEWORK 

Oversight and implementation structures (as shown around the edge of the diagram): 

Executive Authority (DST) 
Role: Oversees RM activities; monitors RM compliance; monitors service delivery of the HSRC. 

HSRC Board 
Role: Oversees effectiveness of RM activities; approves the ERM Strategy, Risk Profile, Risk Treatment 
Plans and Risk Tolerance Framework. 

Audit & Risk Committee 
Role: Oversees RM activities; endorses the ERM Strategy, Risk Profile, Risk Treatment Plans, Combined 
Assurance Plans and Risk Tolerance Framework; approves the Risk-Based Internal Audit Plan. 

Risk Management Committee 
Role: Reviews and makes recommendations on the ERM Strategy, Risk Profile, Risk Treatment Plans, 
Combined Assurance Plans and Risk Tolerance Framework. 

Chief Executive Officer 
Role: Oversees and reviews RM activities; delegates responsibility for RM to all employees; integrates RM 
into all strategic management processes; monitors management of significant risks. 

Management & Officials 
Role: Implement RM principles in their respective areas of responsibility; implement and report on Risk 
Treatment Plans; report emerging risks. 

Chief Risk Officer 
Role: Coordinates RM activities; establishes, monitors implementation of and maintains the ERM Strategy; 
provides support services and advice on RM matters; develops, communicates and maintains the risk 
profile. 

Risk Owners 
Role: Develop risk treatment plans (RTPs); ensure implementation of and report on RTPs; report emerging 
risks. 

Internal Auditors 
Role: Provide independent assurance on the effectiveness of RM activities; review the appropriateness of 
the risk philosophy, combined assurance plan and risk tolerance framework. 

External Auditors 
Role: Assess risks of material misstatement of financial statements and make judgements about the size 
of misstatements; adopt a risk-based audit approach; plan and perform further audit procedures responsive 
to the risk assessment; assess compliance with applicable legislation. 

Risk management process (the centre of the diagram): 

Establish the Context 
- Strategic context: strategic objectives; Shareholder's compact; stakeholder expectations; SWOT analysis; 
risk evaluation criteria. 
- Organisational context: goals and objectives (HSRC); strategies to achieve goals and objectives; risk 
tolerance framework; oversight structures. 
- Risk management context: ERM Strategy; goals and objectives (ERM); information management; scope 
and boundaries for ERM; role players and responsibilities. 

Risk Identification 
- What can happen? How and why can it happen? Tools and techniques to gather data. 

Risk Assessment 
- Risk Analysis: determine existing controls; determine likelihood; determine impact; determine level of 
risk. 
- Risk Evaluation: compare against criteria; establish risk priorities. 

Risk Treatment 
- Assign risk owners; determine risk response strategies; develop risk treatment plans. 

3. Risk Management Process 

Risk management is a systematic and continuous process of identifying and analysing risks and, where 
appropriate, taking adequate steps to address these risks before they can impact negatively on service 
delivery capacity. 

It is a management approach that increases the prospects of success through getting it right the first time 
and minimising negative outcomes. It forms part of management's core responsibilities and is an integral 
part of the HSRC's internal processes. The process of risk management follows these steps: 
3.1. Step 1: Establish the context 

This process occurs within the strategic context and immediately follows the objective-setting and 
business planning process. It is undertaken to define the basic parameters within which risks must be 
managed, and sets the scope for the rest of the risk management process. This step comprises the 
following areas: 

(a) Establish strategic context 

The context includes the financial, operational, competitive, political, reputational, social, cultural and 
legal aspects of the institution's functions. It involves: 

(i) Defining the relationship between the HSRC and its environment; 

(ii) Identifying institutional strengths, weaknesses, opportunities and threats; 

(iii) Identifying internal and external stakeholders, considering their objectives, taking into account 
their perceptions, and establishing communication policies with these parties; 

(iv) Determining crucial elements which might support or impair the HSRC's ability to manage the 
risks it faces; 

(v) Ensuring that there is a close relationship between the HSRC's mission, strategic objectives and 
the management of all risks to which the HSRC is exposed. 

(b) Establish organizational context 

Before a risk management activity is commenced, it is necessary to understand the institution and 
its capabilities, as well as its goals and objectives and the strategies that are in place to achieve 
them. Therefore: 

(i) Risk management will take place in the context of wider goals, objectives and strategies of the 
institution; 

(ii) Inadequate or poor performance in delivering on the objectives of the institution, or of specific 
activities or projects, is one set of risks which shall be managed; 

(iii) The ERM Strategy defines the criteria by which it is decided whether a risk is acceptable or not, 
and these form the basis of the options for risk treatment. 

(c) Establish a risk management context 

The goals, objectives, strategies, scope and parameters of the activity, or part of the institution to 
which the risk management process is being applied, shall be established. The process shall be 
undertaken with full consideration of the need to balance costs, benefits and opportunities. The 
resources required and the records to be kept shall also be specified. Setting the scope and 
boundaries of the risk management process will involve: 

(i) Defining the extent and comprehensiveness of the risk management activities to be carried out. 
Specific issues which will be considered include the following: 

• The roles and responsibilities of various parts of the institution participating in managing 
risk; 

• Relationships between the strategic objectives, project and other projects or parts of the 
HSRC; 

• Determination of interdependencies and relationships between the risk areas i.e. how the 
risk areas impact on one another (cross-impact analysis). 
(d) Develop risk evaluation criteria 

The HSRC Board shall decide on the criteria against which risk is to be evaluated. Decisions concerning 
risk acceptability and risk treatment shall be based on operational, technical, financial, legal, social, 
humanitarian or other criteria, depending on strategic objectives and the interests of stakeholders. 
Through the risk tolerance framework and the materiality & significance framework, the risk evaluation 
criteria shall be further refined as particular risks are identified and risk analysis techniques are chosen, 
to ensure that the risk criteria correspond with the type of risks and the way in which risk levels are 
expressed. 


3.2. Step 2: Risk Identification 

The process of risk identification shall involve the utilisation of various techniques and models to ensure 
that no critical risks are missed. The following approaches shall be utilised: 

(a) Objective-based Risk Assessment Model 

The best people to identify risks using this method are those who are expected to implement the 
objectives, because they are aware of the various activities, opportunities and challenges in 
implementing the objectives. The objective-based risk assessment model (ORA) follows this 
process: 

a) Defining the objectives 

The overall perspective of objectives is defined in the 5-year Strategic Plan of the HSRC. 
Business units therefore shall define their objectives based on the strategic priorities identified in 
the strategic plan depending on where they fit into the bigger picture i.e.: 

(i) Who they are as a team; 

(ii) Who reports to them; 

(iii) What they are responsible for; and 

(iv) Who they report to; 

b) Articulating the objectives 

In order to ensure successful operationalisation of the strategic plan, business units need to 
establish: 

(i) What specifically needs to be achieved; 

(ii) What the intended outcome is; 

(iii) What the foundational assumptions are to achieve it. 

This process shall result in the annual performance plan of the business units. 

c) Measurable outcomes 

Business units shall establish how success will be measured by assigning performance 
indicators to each specific objective. 

d) Achievement status 

Looking backwards on the operations of the business units, management shall establish how 
their units have performed over time in order to determine their status of achieving each 
objective and to prioritise each objective relative to each other. 
e) Assessing the risks 

During this step management identifies the main uncertainties that can have a major impact on 
their objectives. External uncertainties are usually beyond management's control; however, 
management shall develop business continuity plans to alleviate the impact of these 
uncertainties. What can prevent achievement of objectives and what can aid achievement of 
objectives shall also be identified by conducting a SWOT analysis for each objective. For this step 
to be undertaken successfully, the following data sources shall be utilised: 

(i) Process Mapping 

Process mapping shall be used to identify interdependent, critical and vulnerable functions 
and activities in all high risk areas. 

(ii) Business Impact Analysis (BIA) reports 

BIA reports shall be developed and utilised as reference documents in the risk assessment 
process. 

(iii) Brainstorming 

Brainstorming is a technique of solving specific problems, amassing information, 
stimulating creative thinking, developing new ideas, etc., by unrestrained and spontaneous 
participation in discussions. This shall be done through facilitated workshops to provide 
meaningful information in the risk assessment process. 

(iv) Document Reviews 

Review of the institution's internal policies, operational reports and procedure manuals 
shall also provide useful information on the risks the institution may be faced with, as well 
as an understanding of what risk treatment strategies would work best for the institution. 

(v) Internally Generated Data/ Historical Experiences 

Analysis of information from annual reports, financial statements, loss control reports, 
incident reports, the corruption database, the litigation register, etc. shall be utilised to predict 
future events. This is the most effective approach, as it provides better unbiased results and a 
basis for risk rating. 

(vi) Market Research & Relevant Published Material 

Understanding what is happening in global markets and how it affects the business of the 
HSRC shall be critical to ensure that risk identification is conducted appropriately. Although 
it is outside the control of the HSRC to prevent systemic risks, management shall develop 
business continuity plans to ensure recovery in the event of a systemic risk materialising. 

(vii) Specialist Expert Judgements 

Specialist areas such as health & safety; scientific research & IT will require expert 
judgement to identify risks in these areas adequately. Internal and External Audit reports 
shall provide a specialist and independent insight into the institution. The Institutional 
Review Report shall also serve as a crucial data source for risk identification within the 
HSRC. 
(b) Scenario Planning 

Scenario planning shall be used as an additional methodology to identify project-related risks, in the 
following process: 

a) Identification of external forces 

Several changes related to external forces which might impact the project are imagined, e.g. 
changes in regulations, demographic changes, topical issues and headlines. 

b) Predicting the future 

For each of the external forces chosen above, management considers three different future 
scenarios which might arise within the project or the institution as a result of each change. 
These shall include best-case, worst-case and reasonable-case scenarios. The worst-case 
scenario shall be reviewed against the institution’s risk tolerance to determine what changes 
need to be made to survive this period or turn things around. 

c) Determination of response action 

What the project manager might do or potential strategies to respond to each of the scenarios 
are determined. 

d) Identification of risk treatment considerations 

Common considerations and issues that must be addressed to respond to possible external 
changes are detected. 

e) Selection of robust response strategies 

The most likely external changes to affect the project are identified and the most reasonable 
strategies project managers can undertake to respond to the change are selected. 


(c) Environmental Scanning 

Environmental scanning is a process of identifying emerging issues, situations, and potential pitfalls 
that may affect an organization’s future. It increases the organization’s awareness of the key risks it 
faces, and the characteristics and attributes of these risks. This method enables decision-makers 
both to understand the external environment and the interconnections of its various sectors and to 
translate this understanding into the institution's planning and decision-making processes; therefore 
it shall be used to: 

• Detect scientific, technical, economic, social, and political trends and events important to the 
institution; 

• Define the potential threats, opportunities, or changes for the institution implied by those trends 
and events; 

• Promote a future orientation in the thinking of management and staff; and 

• Alert management and staff to trends that are converging, diverging, speeding up, slowing 
down, or interacting. 


Key questions that shall be considered in undertaking this analysis include: 
a) The type of risk, i.e. IT/Systems, Financial, Health & Safety, Corruption, etc.; 
b) The source of risk, i.e. external (political, economic, natural disasters) or internal (inadequate 
resources, security, knowledge management, etc.); 

c) What is at risk, i.e. the areas of impact in the event that the risk materialises and the type of 
exposure (people, reputation, service delivery, finances, materials, etc.); 

d) The existing controls and their effectiveness, i.e. the degree to which the HSRC can 
influence, affect or manage the risk. 

Understanding the organizational context and conducting an environmental scan shall assist the 
HSRC in identifying key risk areas and differentiating between the types of risks, i.e. specific event 
risks and risks that cut across the entire organization (Transversal risks). The scan shall also 
provide the HSRC with meaningful information to set a strategic direction for risk management, 
which can be amended, or adjusted, as more information comes to light, or as the capacity to 
manage risks increases. 


(d) Cross Impact Analysis 

Cross-impact analysis involves identifying and evaluating the impact of trends or events upon each 
other by constructing a matrix to show the interdependencies of different events. The matrix shall list 
the set of events or trends that may occur and the events or trends that would possibly be affected 
by the events. Management shall then assess how the occurrence of each event affects the 
probability of other events. 

This process shall be utilised as part of risk analysis for all areas of the HSRC. 


(e) Structural Analysis 

Structural analysis shall be one of the methodologies used for the identification of risks related to 
buildings, maintenance and infrastructure. Identification of these risks shall require expert skills 
in engineering, electricity, etc.; therefore this process shall be outsourced. 


3.3. Step 3: Risk Assessment 

The process of risk assessment shall involve risk analysis and risk evaluation as follows: 

(a) Risk Analysis 

The objective of risk analysis is to separate minor acceptable risks from the major risks, and to 
provide data to assist in the evaluation and treatment of risks. Risk analysis involves consideration 
of the sources of risk, their consequences (impact) and the likelihood that those consequences may 
occur. During this stage risk is analysed by combining estimates of impact and likelihood in the 
context of existing control measures. 

a) Determine existing controls 

Identify existing management, technical systems and procedures to control risk and assess their 
strengths and weaknesses. 

b) Impact and likelihood 

The magnitude of consequences (impact) of an event, should it occur, and the likelihood of the 
event are assessed in the context of the existing controls. Impact and likelihood are combined to 
produce a level of risk. Impact and likelihood of risks shall be determined using statistical 
analysis and calculations. 
To avoid subjective biases, sources of information shall include the following: 

(i) Past records; 

(ii) Loss events and incident register; 

(iii) Corruption database; 

(iv) Relevant experience; 

(v) Industry practice and experience; 

(vi) Relevant published literature; 

(vii) Specialist and expert judgments. 

Where no past data are available, subjective estimates shall be made to reflect the degree of 
belief that a particular event or outcome will occur. To avoid subjective biases the best available 
information sources and techniques shall be used when analysing impact and likelihood. 

c) Risk analysis techniques 

Techniques for risk analysis shall include: 

(i) Structured interviews with experts in the area of interest; 

(ii) Use of multi-disciplinary groups of experts; 

(iii) Individual evaluations using questionnaires. 

d) Types of risk analysis 

Risk analysis shall be undertaken to various degrees of refinement depending upon the risk 
information and data available. Analysis of risks shall be qualitative or quantitative or a 
combination of these, depending on the circumstances. Initially, qualitative analysis shall be 
used to obtain a general indication of the level of risk. Where it is necessary to undertake more 
specific quantitative analysis based on the nature of significant risks identified, quantitative 
analysis shall be performed. 

(i) Qualitative analysis 

Qualitative risk analysis uses word form or descriptive scales to describe the magnitude of 
potential impact and the likelihood that those risks will occur. The qualitative analysis is then 
depicted through a matrix in which risks are assigned to priority classes by combining their 
likelihood and consequence. Risk impact on the ability of the HSRC to deliver on its mandate 
shall be highlighted in the following categories: 

• Financial: The impact of risks to HSRC’s financial stability and ability to maintain funding 
critical activities to deliver on its strategic objectives. 

• Materials: The impact of the risk on material resources and infrastructure such as 
equipment, machinery, vehicles & property that HSRC uses in the activities that are critical 
to its mission. 

• People: The impact of the risk on HSRC’s workforce and other stakeholders. 

• Reputation: The impact of the risk on the public’s perception of the HSRC and its 
stakeholders; and 

• Service Delivery: The impact of the risk on service delivery e.g. project completion. 
Qualitative risk analysis tables are available as part of the guidelines and templates for 
implementation of the ERM Strategy. 


(ii) Quantitative analysis 

Quantitative analysis uses numerical values (rather than the descriptive scales used in 
qualitative analysis) for both impact and likelihood using data from a variety of sources. The 
quality of the analysis will depend on the accuracy and completeness of the numerical values 
used. Risk impact shall be estimated by modeling the outcomes of an event or set of events or 
by extrapolation from experimental studies or past data and expressed in the same categories 
as qualitative analysis. 

Based on the level of risk management maturity within the HSRC, qualitative risk analysis shall 
be the main technique used. Where there is a need for quantitative risk analysis, the HSRC 
Board shall make that call based on circumstances and available resources. 


e) Risk Matrix 

A risk rating matrix shall be utilised to determine the extent of the risk exposure the institution is 
faced with in order to allocate the appropriate response to that specific risk. Management shall 
decide on actions that need to be taken to address the risk based on the following guidelines 
endorsed by the HSRC Board: 



[Risk rating matrix: likelihood scale Rare, Unlikely, Occasional, Likely, Common plotted against impact; 
the matrix image is not reproduced here.] 
RISK RESPONSE FRAMEWORK 

Risk Rating: 15 - 25 
Risk Magnitude: High 
Risk Response Strategy: Avoid / Reduce / Transfer 
Risk Response Action: Management shall take immediate action to reduce the risk and monitor the 
effectiveness of controls with the highest priority. Have a contingency plan in place. Risks shall be 
brought to the attention of the CEO, RMC, Audit & Risk Committee and the Board. 

Risk Rating: 8 - 12 
Risk Magnitude: Medium 
Risk Response Strategy: Reduce / Share 
Risk Response Action: Management shall consider action to reduce the risk and monitor the 
effectiveness of mitigation strategies. Risks shall be brought to the attention of the CEO and the RMC. 

Risk Rating: 1 - 6 
Risk Magnitude: Low 
Risk Response Strategy: Accept 
Risk Response Action: Management shall keep these risks under periodic review. 

(b) Risk Evaluation 

Risk evaluation involves comparing the level of risk found during the analysis process with 
previously established risk criteria. Risk analysis and the criteria against which risks are compared 
in risk evaluation shall be considered on the same basis. The output of a risk evaluation is a 
prioritized list of risks for further action. The objectives of the HSRC and the extent of opportunity 
which could result from taking the risk shall be considered. Decisions shall take account of the wider 
context of the risk and include consideration of the tolerability of the risks borne by parties other than 
the organization which benefits from it. 

Where the resulting risks fall into the low or acceptable risk levels, they may be accepted with 
minimal further treatment. Low and accepted risks shall be monitored and periodically reviewed to 
ensure that they remain acceptable. 

Where risks do not fall into the low or acceptable risk levels, they shall be treated using one or more 
of the options set out in the guidelines provided by the Risk Response Framework. 


3.4. Step 4: Risk Treatment 

Risk treatment involves identifying a range of options for risk response, assessing those options, 
preparing risk treatment plans and implementing them. Risk treatment involves the following processes: 


(a) Assignment of risk ownership 

Risk owners shall be nominated by the respective divisional heads, and their main responsibility shall 
be the development of risk treatment plans for the allocated risks. Risk owners shall be nominated 
from senior management and must have sufficient technical knowledge about the risk and/or risk 
area for which a response is required. They shall also have the authority to delegate risk treatment 
actions to officials within and outside their management scope, but will remain accountable for 
the management of the allocated risks. 

(b) Determination of risk response strategies 

Risk response comprises different strategies, such as: 

a) Avoidance: 

Taking action to eliminate the activities that give rise to the risk, such as ceasing the activity or 
changing the objective; 

b) Reduction: 

Taking action to reduce either the likelihood or the impact of a risk, or both, such as influencing 
regulations and public perception, implementing business continuity plans, or reorganising and 
restructuring. 

c) Sharing: 

Taking action (within the limitations of Treasury Regulation 12.1.1.) to transfer the loss or liability 
to third parties through: 

• Insurance 

• Outsourcing; and 

• Partnerships 

d) Acceptance: 

Risk acceptance refers to taking no action to affect likelihood or impact and is usually 
considered for low risks. 

Management shall identify risk response strategies and consider their effect on risk likelihood 
and risk impact in relation to the institution’s risk tolerance and cost benefit analysis, and then 
design and implement risk treatment plans. 

(c) Development of risk treatment plans. 

The purpose of the Risk Treatment Plan is to give HSRC management and stakeholders peace of 
mind that significant risks are being effectively managed, and to bring greater focus to HSRC's 
risk and planning arrangements. Key Risk Indicators (KRIs) for each risk shall be identified as part 
of the Risk Treatment Plans, and submission dates for performance data shall be shown on these 
plans for reference. 
(d) Implementing treatment plans 

Responsibility for treatment of risk shall be borne by risk owners who are selected because they are 
best able to control the risk. To ensure successful implementation of risk treatment plans the HSRC 
Board has delegated management to develop an effective management system which specifies the 
methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors 
them against specified criteria. 

Where after treatment there is a residual risk, a decision shall be taken based on the Risk Response 
Framework endorsed by the HSRC Board as to whether to retain this risk or enhance the risk 
treatment process. 


3.5. Step 5: Monitoring and review 

Monitoring of risks shall encompass review of the effectiveness of risk treatment plans, strategies and 
the management system set up to control implementation. The objective of monitoring and review is to 
ensure that changing circumstances are incorporated in risk priorities and to ensure that the risk 
management plan remains relevant. 

Factors which may affect the likelihood and consequences of an outcome may change, as may the 
factors which affect the suitability or cost of the various treatment options, therefore regularly repeating 
the risk management process shall be necessary. Review is an integral part of the risk management 
treatment plan. 

(a) Monitoring 

Monitoring of the presence and functioning of various elements required to ensure effectiveness of 
ERM shall be done in two ways, namely; ongoing monitoring activities and separate evaluations. 
The monitoring process shall provide assurance that there are appropriate controls in place and 
that, policies and procedures are understood and followed. 

a) Ongoing Monitoring Activities 

Ongoing monitoring activities shall serve to monitor the effectiveness of risk management in the 
ordinary course of running the HSRC business. These shall include regular management and 
supervisory activities, variance analysis, performance evaluations, reconciliations and other 
routine management actions. 

b) Separate Evaluations 

Separate evaluations shall be conducted periodically for significant risks by the Chief Risk 
Officer and the Internal Auditors focusing on the effectiveness and adequacy of controls as well 
as the overall effectiveness of risk management activities. Where deficiencies are identified, the 
relevant line managers shall on a continuous basis monitor the implementation of 
recommendations in order to evaluate their effectiveness. Where such risk management 
recommendations fail, they shall immediately report such failure to the CRO. 

The CRO shall assist relevant heads of divisions or line managers in designing and 
implementing remedial measures to minimise the risk exposure whenever there is a need. The 
monitoring and review process shall also determine whether: 

(i) Measures adopted resulted in what was intended; 

(ii) Procedures adopted and information gathered for undertaking the assessment were 
appropriate; 

(iii) Improved knowledge would have helped to reach better decisions and identify what lessons 
could be learnt for future assessments and management of risks. 
(b) Review 

Effective risk management requires a reporting and review structure to ensure that risks are 
effectively identified and assessed and that appropriate controls and responses are in place. 
Regular audits of policy and standards compliance shall be carried out and standards performance 
reviewed to identify opportunities for improvement. Bearing in mind that the HSRC is a dynamic 
institution operating in dynamic environment; changes in the institution and the environment shall be 
identified and appropriate modifications made to risk management systems. 


3.6. Step 6: Communication & Training 

It is important for risk reporting to demonstrate how well the institution is managing its key risks. This 
requires that risk reporting arrangements for all stakeholders be defined and communicated. A 
clearly defined risk reporting structure shall facilitate effective communication among stakeholders in the 
risk management process. 

A common risk language, consistent form of reporting and collaboration among stakeholders 
(Committees, Management, Chief Risk Officer, etc) is critical to ensure that risk reports are effectively 
utilised to drive institutional performance. While risk reporting is meant to aid managers to make 
risk-based decisions, it is equally important for such information and decisions to be communicated to 
operational staff and/or relevant officials across the HSRC. 

Perceptions of risk can vary due to differences in assumptions and concepts and in the needs, issues and 
concerns of stakeholders as they relate to the risk or the issues under discussion. Stakeholders are 
likely to make judgments of the acceptability of a risk based on their perception of risk. Since 
stakeholders have a significant impact on the decisions made, their perceptions of risk, as well as their 
perceptions of benefits, shall be identified and documented and the underlying reasons for them 
understood and addressed. 

Various internal and external sources shall be used to obtain data for reporting, and this 
information may be quantitative and/or qualitative. The challenge of processing and refining large 
volumes of data into relevant and actionable information, and of keeping historical records of analyses, 
trends and decisions, shall be met by implementing an information system to source, capture, 
process, analyse and report relevant information. 


(a) Communication 

a) Implementing a risk management information system 

The use of a risk management information system will enable management to obtain "real time" 
information for decision making. This will also enhance monitoring activities. Technology may 
provide the necessary audit trail that could be used by risk owners and assurance providers to 
determine whether controls are working effectively, including whether target dates for action 
plans are being fully complied with. 

Although technology may provide value to risk reporting, the Chief Risk Officer shall ensure that 
processes around risk reporting are properly designed before implementation of technology is 
considered. 

Customised reports shall be used as an early warning system. A risk dashboard shall be used 
to expedite the flow of critical information to enhance decision-making. Supplementary 
information shall be included in more detailed reports such as: progress with risk management 
implementation, incident reports, and emerging risk reports. 
b) Incident reporting system 

Incident reporting provides a means of monitoring risk and reviewing the effectiveness of controls, 
and the principle of real-time incident reporting for key processes is growing in prominence 
globally. The Health and Safety business unit already has incident reporting systems in place. 
Such reporting systems shall be integrated into the broader risk management incident reporting 
systems in order to avoid duplication of effort and enhance information sharing activities. 

c) Emerging risk warning system 

Emerging risks are risks that were previously unrecognised but may be an imminent threat. 
Such risks may emanate through changes in the regulatory environment, external events, 
internal changes or social trends. 

The risk management agenda of the HSRC shall incorporate a process of identifying emerging 
trends, which could pose risks to the institution. The frequency with which emerging risks are 
deliberately interrogated will be influenced by the rate of change and dynamism the institution is 
confronted with. 


(b) Reporting 

Effective internal and external communication is important to ensure that those responsible for 
implementing risk management, and those with a vested interest understand the basis on which 
decisions are made and why particular actions are required. Reporting on risk shall focus on both 
internal and external stakeholders. 

a) Internal Reporting 

Different stakeholders within the HSRC require different types of risk information in different 
formats, therefore risk reports, although they will be based on a common risk language, shall be 
customized to cater for the needs of the different stakeholders. The following risk reporting 
responsibilities shall be carried out: 

(i) The Chief Risk Officer (CRO) shall determine risk information needs of various stakeholders 
and ensure that risk management processes respond to such needs. 

(ii) Within 48hrs of each risk assessment the CRO shall prepare and submit a draft-risk register 
to the relevant Executive Directors or Business Unit heads and action owners identified 
during the risk assessment process for comments, inputs and commitment on action plans; 

(iii) Once agreement has been reached on the contents of the risk register between the CRO 
and management, a detailed risk assessment report shall be prepared and submitted to the 
relevant managers for sign-off. 

(iv) Signed-off reports shall be considered as official reports of the HSRC and shall be 
distributed to the relevant oversight and auditors as individual reports or as part of a 
consolidated report at the first meeting following the sign-off. 

(v) The content and format of reports shall be determined by information requirements of 
different stakeholders as follows: 


i) The HSRC Board 

The HSRC Board is accountable for risk management within the HSRC and therefore 
should: 

• know about the most significant risks facing the institution; 
• know the possible effects on shareholder value of deviations from expected 
performance ranges; 

• be assured of appropriate levels of awareness throughout the organisation; 

• know how the organisation will manage a crisis; 

• know the importance of stakeholder confidence in the organisation; 

• be assured that the risk management process is working effectively; 

• publish a clear risk management policy covering risk management philosophy and 
responsibilities; 


ii) Divisions & Business Units: 

Executive Directors and business unit heads are the risk managers and are expected to 
manage risks within their areas of responsibility and make risk-based decisions, 
therefore they should: 

• be aware of risks which fall into their areas of responsibility, the possible impacts 
these may have on other areas and the consequences other areas may have on 
them; 

• have performance indicators which allow them to monitor the key business and 
financial activities, progress towards objectives and developments which 
require intervention (e.g. forecasts and budgets), and have systems which communicate 
variances in budgets and forecasts at an appropriate frequency to allow action to be 
taken; 

• report systematically and promptly to the CRO and executive management any 
perceived new risks or failures of existing control measures. 


iii) Other Officials: 

It is important that other officials are made aware of their risk management 
responsibilities because they are at the forefront of operations and as such can trigger 
risks through their actions or omissions, therefore they should: 

• understand their accountability for individual risks 

• understand how they can enable continuous improvement of risk management 
response 

• understand that risk management and risk awareness are a key part of the 
organisation’s culture 

• report systematically and promptly to senior management any perceived new risks 
or failures of existing control measures. 


The following risk reporting structure shall be utilised to report risk information within the 
HSRC: 
HSRC RISK REPORTING STRUCTURE 

b) External Reporting 

Every organisation needs to report to its stakeholders on a regular basis setting out its risk 
management policies and the effectiveness in achieving its objectives. Increasingly 
stakeholders look to organisations to provide evidence of effective management of the 
organisation’s non-financial performance in such areas as community affairs, human rights, 
employment practices, health and safety and the environment. 

Good corporate governance principles require institutions to adopt a methodical approach to 
risk management which: 

(i) protects the interests of stakeholders; 

(ii) ensures that the Board discharges its duties to direct strategy, builds value and monitors 
performance of the organisation; 

(iii) ensures that management controls are in place and are performing adequately. 


Through the annual report, formal reporting of risk management is provided and made available 
to HSRC stakeholders. The formal reporting process addresses: 

(i) the control methods - particularly management responsibilities for risk management; 

(ii) the processes used to identify risks and how they are addressed by the risk management 
systems; 

(iii) the primary control systems in place to manage significant risks; 

(iv) the monitoring and review systems in place; 

Any significant deficiencies uncovered by the risk management system, or within the system 
itself, shall be reported together with the steps taken to deal with them. 


(c) Training 

The ERM Unit is mandated to champion and promote risk management across the HSRC and to 
ensure that: 

a) All officials and managers are aware of what risk management is and what benefits their 
divisions/units will enjoy through risk management; 

b) All officials and managers are aware of HSRC’s approach to risk management and what their 
responsibility for risk management is; 

c) All officials and managers are aware of how risk management is implemented and how to 
participate in the implementation; 

The ERM Unit shall make use of the following mechanisms to communicate the risk management 
message: 

a) Induction for new employees; 

b) Training and workshops; 

c) Briefings; 

d) Intranet; 

e) Internal publications; 
4. Risk Management Roles & Responsibilities 

Risk management roles have been divided into four categories due to the unique responsibilities of the 
role-players in each category. The categories are as follows: 


4.1. Risk Management Implementers 

All Management and all officials within the HSRC are risk management implementers. Their 
fundamental roles and responsibilities in risk management are outlined as follows: 

(a) Management 

a) Strategic value of Management in risk management 

Management is accountable to the HSRC Board for designing, implementing and monitoring a 
system of risk management, and integrating it into the day-to-day activities of the institution. As 
such, Management shall ensure that it is satisfied with the management of risk and prevent risk 
management from becoming a series of activities that are detached from the realities of the 
institution’s business. Risk management, when integrated into the decision-making process 
becomes a valuable strategic management tool for underpinning the efficacy of service delivery 
and value for money. Management shall ensure that risk management is a standing agenda 
item in management meetings. 

b) Management responsibilities for risk management 

To derive optimal benefits, risk management shall be conducted in a systematic manner, using 
proven methodologies, tools and techniques. Management is responsible for executing their 
responsibilities outlined in the risk treatment plans and for integrating risk management into their 
operational routines. 

Other risk management responsibilities for Management include: 

(i) executing their responsibilities as set out in the risk treatment plans; 

(ii) empowering officials to perform effectively in their risk management responsibilities through 
proper communication of responsibilities, comprehensive orientation and ongoing 
opportunities for skills development; 

(iii) aligning the functional risk management methodologies and processes with the institutional 
process; 

(iv) devoting personal attention to overseeing the management of key risks within their area of 
responsibility; 

(v) maintaining a co-operative relationship with the CRO and Risk Champions and Risk 
Owners; 

(vi) providing risk management reports; 

(vii) presenting to the Risk Management and Audit Committees as requested; 

(viii) maintaining proper functioning of the internal control processes within their area of 
responsibility; 

(ix) holding officials accountable for their specific risk management responsibilities; 

(x) maintaining the functional risk profile within the institution's risk tolerance (ability to tolerate) 
and appetite (risk that it is willing to take); 

(xi) implementing the directives of the CEO or the HSRC Board concerning risk management; 
(xii) prioritizing and ranking risks in their area of responsibility to focus responses and 
interventions on risks outside the institution’s tolerance levels; 

(xiii) benchmarking risk and risk mitigation activities; 

(xiv) assessing the effectiveness of risk management within their areas of responsibility; and 

(xv) developing and implementing risk response plans or risk treatment plans. 


(b) Other Officials 

a) Strategic value of Other Officials in risk management 

Other Officials are accountable to their managers for implementing and monitoring the process 
of risk management and integrating it into their day-to-day activities. 

b) Risk management responsibilities for Other Officials 

All officials are responsible for managing risks within their areas of responsibility and for 
reporting any emerging risk to management. Officials must ensure that their delegated risk 
management responsibilities are executed and continuously report on progress. Other officials 
are responsible for integrating risk management into their day-to-day activities. 

Additional risk management responsibilities for other officials include: 

(i) applying risk management processes in their respective functions; 

(ii) implementing delegated action plans to address identified risks; 

(iii) informing their supervisors and/or the Risk Management Unit of new risks and significant 
changes in known risks; 

(iv) co-operating with other role players in the risk management process and providing 
information as required; 

(v) familiarity with the overall risk management vision, ERM Strategy, Anti-Corruption Strategy, 
Compliance Strategy and the Business Continuity Management Strategy; 

(vi) acting within the risk appetite and tolerance levels set by the business unit; 

(vii) adhering to the code of conduct and code of ethics of the HSRC; 

(viii) maintaining the functioning of internal control processes, information and communication 
as well as the monitoring systems within their delegated responsibility; 

(ix) participating in risk identification and risk assessment processes within their business unit; 

(x) reporting inefficient, unnecessary or unworkable controls; and 

(xi) reporting suspicion of fraud and corruption through the approved processes of whistle 
blowing. 

Everyone in the HSRC has a part to play in achieving and sustaining vibrant systems of risk 
management and to that extent all officials shall function within a framework of responsibilities 
and performance indicators. Clear objectives and key performance indicators shall be set for 
other officials in respect of their core responsibilities. 
4.2. Risk Management Support 

(a) Risk Champions 

a) Strategic value of Risk Champions in risk management 

A Risk Champion is a person with the skills, knowledge and power of office required to 
champion a particular aspect of risk management. A key part of the Risk Champion's 
responsibility involves facilitating implementation of risk management principles in their 
areas of responsibility. The Risk Champion also adds value to the risk management 
process by providing support to the CRO in terms of information requirements and reports. 

b) Risk management responsibilities for Risk Champions 

Risk Champions shall act as change agents in the risk management process and ensure 
that action owners within their jurisdiction carry out their risk management responsibilities 
and report on progress. A Risk Champion shall not assume the role of a Risk Owner but 
will assist the Risk Owner to obtain information and resolve risk-related problems. 


(b) Risk Owners 

Risk Owners are those officials responsible for controlling (fully or partly) one of the significant 
risks. Risk Owners shall be appointed by the CEO and their responsibility, amongst others, is to 
complete an annual Risk Treatment Plan for allocated risks, detailing what actions will be taken 
to address the risk including preventative measures, disaster recovery and business continuity 
plans. Reports and statistics on all HSRC risks shall be collated regularly (quarterly) and 
presented to the CRO for review and comment. 

Key Risk Indicators (KRIs) for each risk will be identified as part of Risk Treatment Planning 
and the CRO will provide the necessary support required by Risk Owners to report on each risk 
within their responsibility. 


(c) The Chief Risk Officer 

a) Strategic value of the Chief Risk Officer 

The primary responsibility of the Chief Risk Officer (CRO) is to bring specialist expertise to 
assist the HSRC to embed risk management and leverage its benefits to enhance 
performance. 

The CRO is accountable to the CEO for enabling the business to balance risk and reward 
and is responsible for coordinating the institution's risk management approach. 

As head of the ERM Unit the CRO is the custodian of the ERM Strategy with a mandate to 
coordinate all risk management activities throughout the HSRC. As delegated by the CEO, 
the CRO is responsible for ensuring that an effective and efficient system of risk 
management is in place. Tasked with the overall efficiency of the ERM function as well as 
embedding risk management practices and fostering a risk aware culture within the HSRC, 
the CRO effectively assumes the role of institutional advocate for ERM and brings 
specialist expertise to assist in integrating risk management throughout the Institution. 

b) Responsibilities of the Chief Risk Officer 

Responsibilities of the Chief Risk Officer include: 

(i) working with Senior Management to develop the institution’s vision for risk 
management; 
(ii) developing, in consultation with management, the institution's ERM Strategy 
incorporating, inter alia, the: 

• risk policy statement; 

• risk management framework; 

• risk management methodology; 

• anti-corruption strategy; 

• compliance strategy; and 

• business continuity strategy. 

(iii) communicating the institution’s ERM Strategy to all stakeholders and monitoring its 
implementation; 

(iv) facilitating orientation and training of the Risk Management Committee, Audit & Risk 
Committee and the HSRC Board on the ERM Strategy; 

(v) training all stakeholders in their risk management functions; 

(vi) continuously driving risk management to higher levels of maturity; 

(vii) assisting management with risk identification, assessment and development of 
response strategies; 

(viii) monitoring the implementation of risk response strategies; 

(ix) collating, aggregating, interpreting and analysing the results of risk assessments to 
extract risk intelligence; 

(x) reporting risk intelligence to Management, the Risk Management Committee, Audit & 
Risk Committee and the HSRC Board; and 

(xi) participating in developing a combined assurance plan for the institution with Internal 
Audit, Management and the Auditor-General. 


4.3. Risk Management Assurance Providers 

(a) Internal Audit Function 

a) Strategic value of the Internal Audit Function in risk management 

The Internal Audit function is accountable to the HSRC Board via the Audit & Risk 
Committee for providing independent assurance on the effectiveness of the system of risk 
management. Hence, the Internal Auditors shall evaluate the effectiveness of the entire 
system of risk management and provide recommendations for improvement where 
necessary. 

Internal Auditors shall pursue a risk-based approach to audit-planning as opposed to a 
compliance approach, in order to assess whether the processes intended to serve as 
controls are appropriate risk controls. 

b) Risk management responsibilities for the Internal Audit Function 

In terms of the International Standards for the Professional Practice of Internal Auditing, 
determining whether risk management processes are effective is a judgment resulting from 
the Internal Auditor’s assessment that: 

(i) Institutional objectives support and align with the institution’s mission; 
(ii) Significant risks are identified and assessed in the context of strategic objectives; 

(iii) Risk responses are appropriate to limit risk to an acceptable level; and 

(iv) Relevant risk information is captured and communicated in a timely manner to enable 
the Accounting Officer / Authority, Management, Risk Management Committee, Audit 
Committee and other officials to carry out their responsibilities. 

Other responsibilities of the Internal Audit Function in risk management include: 

(i) Providing assurance that the risk management culture in the institution is an 
appropriate one; 

(ii) Providing assurance that the risk register is an appropriate reflection of the risks facing 
the institution; 

(iii) Providing assurance that risk management is carried out in a manner that benefits the 
HSRC; and 

(iv) Providing assurance that the risk management strategy, risk treatment plans and 
anti-corruption strategy have been effectively implemented within the HSRC. 


(b) External Audit (Auditor General) 

a) Strategic value of the External Audit Function (Auditor General) in risk management 

The Auditor-General is the supreme audit institution of South Africa. It is an independent 
institution with full legal capacity and is subject only to the Constitution and the law, 
including the Public Audit Act, Act No. 25 of 2004. 

b) Risk management responsibilities for the External Auditors 

The responsibilities of the Auditor General (AG) are outlined in the Public Audit Act. As 
external auditor, the AG is required to perform an audit of the HSRC's activities on an 
annual basis, or whenever it is required, and to prepare a report on the audit reflecting its 
independent opinion and statements on: 

(i) Whether the annual financial statements of the HSRC fairly present in all material 
respects, the financial position at a specific date and results of HSRC operations and 
cash flow for the period under review; 

(ii) HSRC’s compliance with any applicable legislation relating to financial matters, 
financial management and other related matters; and 

(iii) The reported information relating to the performance of the HSRC against 
predetermined objectives. 


(c) Combined Assurance 

King III requires that a combined assurance model should be applied to provide a coordinated 
approach to all assurance activities. The objectives of the combined assurance model are 
mainly to: 

a) Identify and specify the sources of assurance over identified risks; 

b) Provide the Risk Management Committee, the HSRC Board and Executive Management 
with a framework of the various assurance parties; 

c) Link risk management activities with assurance activities to assist the HSRC Board to 
review the effectiveness of the risk management system; and 
d) Provide a basis for identifying any areas of potential assurance gaps. 

A framework for a Combined Assurance Plan shall form part of the ERM Strategy 
Guidelines and Templates. 


4.4. Risk Management Oversight 

HSRC’s oversight framework on risk management is made up of the following structures: 

• Research Ethics Committee 

• Risk Management Committee 

• Audit & Risk Committee 

• The Accounting Authority (HSRC Board) 

• The Executive Authority (The Minister of Science & Technology) 


(a) Ethics Committee 

a) Strategic value of the Research Ethics Committee in risk management 

The HSRC Research Ethics Committee was established to promote research ethics and 
research integrity in the organization, including the ethics review of research proposals. It is 
made up of members appointed by the CEO, which include an international ethics adviser. 
The responsibilities of the HSRC Research Ethics Committee shall be defined in their 
Terms of Reference and reviewed annually. 

b) High level responsibilities of the Research Ethics Committee 

The responsibilities of the Research Ethics Committee include: 

(i) reviewing and monitoring research proposals and practices in the HSRC from an 
ethical perspective; 

(ii) promoting respect for human rights in research, as well as ethical values and 
research integrity, both within the HSRC and within the broader social sciences 
community in South Africa; 

(iii) reviewing the protocols of all research projects involving human participants, 
including health-related projects proposed to be undertaken by members of staff of 
the HSRC. The purpose of this review is to protect the dignity, rights, safety and 
well-being of all human participants of research. Special attention will be paid to 
research that may include vulnerable participants; 

(iv) reviewing, advising on, and approving or rejecting research protocols involving human 
participants within the borders of South Africa submitted to it by researchers in any 
Province in the Republic of South Africa or internationally who are not members of 
staff of the HSRC; 

(v) reviewing and referring complaints of any research ethics transgression and/or 
research-related misconduct by HSRC staff members and other researchers on projects 
where protocols have been approved by the committee. Reports of alleged unethical 
practices by HSRC research staff in the course of field research approved by the 
REC may be reported by members of the public on a dedicated toll-free HSRC ethics 
hotline; and 

(vi) monitoring of approved research with or without advance notification to the Principal 
Investigator, provided that on arrival at the site the monitor furnishes the researchers 
on duty with proof of identification and REC mandate. 
(b) Risk Management Committee 

a) Strategic value of the Risk Management Committee in risk management 

The Risk Management Committee is a governance structure accountable to the HSRC 
Board through the Audit & Risk Committee. It is established to assist in designing, 
implementing & coordinating risk management activities within the HSRC. The 
responsibilities of the RMC shall be formally defined in their Terms of Reference and 
reviewed annually. 

b) Risk management responsibilities for the Risk Management Committee 

The responsibilities of the Risk Management Committee include: 

(i) reviewing and recommending for approval the: 

• Risk management policy statement; 

• Enterprise Risk Management (ERM) Strategy; 

• Risk appetite and risk tolerance framework; 

• Risk identification and assessment methodology; 

• Any material findings and recommendations by assurance providers; 

• Combined assurance plan; 

• Risk management plan; 

• Any legal matters facing the HSRC and ensure that management are accountable 
for acts or omissions leading to litigation against the HSRC; 

• The adequacy of insurance cover taken; 

• Anti-corruption strategy; 

• Cases of alleged fraud and related matters; 

• Incidents resulting from failed internal control measures affecting business 
continuity and the health or safety of officials, tenants and the public. 

(ii) evaluating the effectiveness of mitigating strategies to address material risks; 

(iii) evaluating the effectiveness of monitoring systems pertaining to corruption risks 
and the results of management investigation and follow-up on alleged fraud and 
related matters; 

(iv) monitoring contractual arrangements and management of contracts for projects 
employing 40 or more people to ensure that the HSRC obtains and provides value for 
money. 


(c) Audit & Risk Committee 

a) Strategic value of the Audit & Risk Committee in risk management 

The responsibilities of the Audit & Risk Committee with respect to risk management shall 
be formally defined in its charter. The Audit & Risk Committee is responsible for oversight 
of the institution’s control, governance and risk management. Furthermore, the Committee 
shall provide the HSRC Board with independent counsel, advice and direction in respect of 
risk management. HSRC stakeholders rely on the Audit & Risk Committee for an 
independent and objective view of the institution's risk management effectiveness. In this 
way, the Audit & Risk Committee shall provide valuable assurance that stakeholder 
interests are protected. 

b) Risk management responsibilities for the Audit & Risk Committee 

The responsibilities of the Audit & Risk Committee include: 

(i) reviewing and recommending disclosures on matters of risk in the annual financial 
statements; 
(ii) reviewing and recommending disclosures on matters of risk and risk management in 
the annual report; 

(iii) providing regular feedback to the HSRC Board on the adequacy and effectiveness of 
risk management in the institution, including recommendations for improvement; 

(iv) ensuring that the internal and external audit plans are aligned to the risk profile of the 
institution; 

(v) satisfying itself that it has appropriately addressed the following areas: 

• financial reporting risks, including the risk of fraud; 

• internal financial controls; and 

• IT risks as they relate to financial reporting. 


Furthermore, in discharging its oversight responsibilities relating to risk management, the 
Committee: 

(i) Reviews and critiques the risk appetite and risk tolerance, and recommends this for 
approval by the HSRC Board; 

(ii) Gains thorough understanding of the risk management policy statement, ERM 
strategy, business continuity plans, and the anti-corruption strategy of the HSRC to 
enable them to add value to the risk management process; 

(iii) Reviews the completeness of the risk assessment process implemented by 
management to ensure that all possible categories of risks, both internal and external 
to the institution, have been identified during the risk assessment process; 

(iv) Reviews the risk profile and management action plans to address the risks; 

(v) Reviews adequacy of adapted risk responses; 

(vi) Monitors progress made with risk treatment plans; 

(vii) Reviews progress made with regards to the implementation of the risk management 
strategy; 

(viii) Facilitates and monitors the coordination of all assurance activities implemented by 
the institution; 

(ix) Reviews the process implemented by management in respect of anti-corruption and 
ensures that all corruption-related incidents have been followed up appropriately. 


(d) The Accounting Authority (HSRC Board) 

a) Strategic value of the HSRC Board in risk management 

The ultimate responsibility for the whole process of risk management lies with the HSRC 
Board as the Accounting Authority who must ensure that the responsibility for risk 
management is delegated to all levels of management and to all employees. 

By setting the “tone at the top” the Board promotes accountability and integrity and it 
ensures that risk management is integrated into all strategic management processes and 
that all significant risks are addressed. 
b) Risk management responsibilities for the HSRC Board 

Risk management responsibilities for the HSRC Board include: 

(i) Development and publishing of a risk management policy. This is a statement that 
declares the HSRC's commitment to risk management and is published for accessibility 
by all stakeholders of the institution. 

(ii) Ensuring that risk management activities are integrated into performance agreements 
of management. This will in turn ensure that the institution operates in a conducive 
environment where the overall attitude, awareness, and actions of heads of business 
units and management regarding internal controls and their importance to the institution 
are on par with the stated vision, values and culture of the institution. 


(e) The Executive Authority (Minister: Science & Technology) 

a) Strategic value of the Executive Authority in risk management 

The Executive Authority is the Minister of the Department of Science & Technology. The Minister 
is accountable to Parliament for the achievement of the goals and objectives of the 
HSRC. The Minister shall take an interest in risk management to the extent necessary to 
obtain comfort that properly established and functioning systems of risk management are in 
place to protect the HSRC against significant risks. As risk management is an important 
tool to support the achievement of this goal, the Executive Authority shall provide oversight 
on governance and risk management within the HSRC. 

b) Risk management responsibilities for the Executive Authority 

Risk management responsibilities of the Executive Authority include: 

(i) ensuring that institutional strategies are aligned to the HSRC mandate; 

(ii) obtaining assurance that key risks inherent in the institution’s strategies were 
identified and assessed, and are being properly managed; 

(iii) assisting the HSRC Board to deal with fiscal, intergovernmental, political and other 
risks beyond their direct control and influence; 

(iv) insisting on the achievement of objectives, effective performance management and 
value for money; 

(v) Awareness of and concurring with the HSRC's risk appetite and tolerance levels; 

(vi) Providing oversight on the HSRC’s risk profile and considering it against the 
institution's risk tolerance; 

(vii) Requiring that management establish a set of values by which every 
employee should abide; 

(viii) Considering the following aspects which if not considered could affect the HSRC's 
risk culture: 

• The design and functioning of control activities, information and communication 
systems, and monitoring activities; 

• The quality and frequency of reporting; 

• The way the institution is managed including the type of risks accepted; 

• The appropriateness of reporting lines. 
5. Review of the Risk Management Methodology 

The HSRC Board shall review the risk management methodology on an annual basis to ensure that it 
remains appropriate to the activities of the HSRC, and that the latest best practice on risk management is 
adopted. 


6. Approval 

This Risk Management Methodology was approved by the HSRC Board and the Chief Executive Officer on 
25 May 2011. 



Dr Olive Shisana 
Chief Executive Officer 